
AWS Security

AWS IAM:

  • Centrally manage and control security permissions for any identity requiring access to your AWS account and its resources

AWS WAF:

  • Protection for your web apps or CloudFront distributions from common attack patterns (SQL Injection / Cross Site scripting)

AWS Firewall Manager:

  • Centrally manage WAF across multiple AWS accounts within an AWS Organization

AWS Shield:

  • Protection from DoS/DDoS attacks

AWS Cognito:

  • Web and Mobile federated access

Identity & Access Management

  • IAM service is used to centrally manage and control security permissions for any identity requiring access to your AWS account and its resources.

Users

  • Users are objects created to represent an identity

  • Can be configured to have AWS Management Console Access, or programmatic access

  • Programmatic access requires an access key ID and a secret access key

  • Configuring MFA allows for an additional level of security to be applied

  • Permissions can be applied to Users

  • Each user must be unique within the AWS Account

Groups

  • Groups are used to authorize access to AWS resources, through the use of AWS Policies

  • They contain IAM Users

  • Have IAM Policies associated with them that allow or explicitly deny access to AWS resources

  • Policies can be AWS managed or customer managed policies

  • Groups normally relate to a specific requirement or job role

  • Any users that are a member of that group inherit the permissions applied to the group

  • Users can belong to more than one group

Roles

  • Roles allow users and other AWS services and applications to adopt a set of temporary IAM permissions to access AWS resources

  • Users must adopt a role to use it

  • EC2 instances can be associated with a role, granting that instance permission to access AWS resources on an application's behalf

  • AWS Service Role: Used by other services that would assume the role to perform specific functions

  • AWS Service-Linked Role: Very specific pre-defined roles that are associated to certain AWS services

  • Cross-Account Roles: Provide access between AWS accounts

  • Identity Provider Access Role: Grants access to web identity providers or single sign-on via SAML providers

Policies

  • IAM policies are used to assign permissions to users, groups, and roles

  • Formatted as JSON documents

  • Each policy has at least one statement, made up of a number of elements:

  • Action: The actions that the policy permits or denies, expressed as API calls for different services

  • Effect: Can be set to either Allow or Deny. A Deny takes precedence over an Allow when evaluating permissions

  • Resource: Specifies the resource, referenced by its ARN, that the Action and Effect apply to

  • Condition: This is an optional element which allows you to control when the permissions will be effective based upon set criteria

  • Principal (only used by resource-based policies such as S3 bucket policies): Defines the identity that the policy refers to, for example a specific IAM user

  • You can have either Managed Policies or Inline Policies

  • Managed policies are either AWS managed or customer managed and can be attached to multiple users or groups

  • Inline policies are embedded directly into a specific user, group, or role

  • Policy evaluation: By default, all access to a resource is denied. Access is only allowed if an explicit “Allow” has been specified. If a single “Deny” exists within any policy associated with the same identity against the same resource, then that “Deny” overrides any “Allow” that may exist for the same resource and action

  • An explicit “Deny” will always take precedence over an explicit “Allow”
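The evaluation rule above, as an added example that is not code from the original post: a minimal model of implicit deny, explicit Allow, and explicit Deny overriding, run over two constructed policy documents (wildcard matching is simplified to `*` and `?`, and action-name case-insensitivity is not replicated).

```python
"""Added example, not from the original post: a minimal model of IAM policy
evaluation (implicit deny by default, explicit Allow grants, explicit Deny
overrides). Both policy documents are constructed samples."""
import fnmatch
import json

# Constructed sample: a managed-style policy that allows reads of one bucket.
ALLOW_READS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: an inline policy that explicitly denies one prefix.
DENY_SECRETS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/secrets/*",
    }],
})


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    # '*' matches any run of characters, as in IAM policy wildcards.
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))


def evaluate(policy_docs, action, resource):
    """Return 'Allow' or 'Deny' for one action/resource across all attached policies."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(json.loads(doc)["Statement"]):
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny wins over any Allow, whatever the policy order
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny
```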

AWS Web Application Firewall (WAF)

  • The main function of AWS WAF is to protect your web applications from malicious attacks and risks, for example:

  • SQL Injection

  • Cross site scripting

  • The OWASP Top 10 security risks

  • Common Vulnerabilities and Exposures (CVE)

  • Integrated with Amazon CloudFront distributions, Application Load Balancers and API Gateway

  • Used to distinguish between harmful and legitimate requests to your applications and sites

  • Protects by blocking harmful traffic

  • Web Access Control Lists (Web ACLs) are associated with a resource, for example a CloudFront distribution

  • Web ACLs contain conditions and Rules

  • Conditions specify what element of the incoming request should be analysed by WAF

  • Rules contain the conditions that you want to use to filter the incoming web requests

  • Using both rules and conditions, you block, allow, or count the traffic

  • Rules are added to the Web Access control list

  • WAF rules are executed in the order that they appear within a Web ACL
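An added example, not code from the original post, of the ordering behaviour described above: a simplified model of a Web ACL that walks constructed rules in order, where Allow and Block stop evaluation and Count only records the match and continues (these are the assumed WAF action semantics; the regex conditions are constructed).

```python
"""Added example, not from the original post: a simplified model of a Web ACL
evaluating its rules in order. Rules and requests are constructed samples."""
import re

# Constructed Web ACL: each rule has one condition (a regex on one request
# element) and an action. List order is the order they appear in the ACL.
WEB_ACL = [
    {"name": "count-admin-paths", "field": "uri", "pattern": r"^/admin", "action": "COUNT"},
    {"name": "block-sqli-in-query", "field": "query", "pattern": r"(?i)union\s+select", "action": "BLOCK"},
    {"name": "allow-health-check", "field": "uri", "pattern": r"^/healthz$", "action": "ALLOW"},
]
DEFAULT_ACTION = "ALLOW"  # applied when no terminating rule matches


def evaluate_request(rules, request, default_action=DEFAULT_ACTION):
    """Return (final_action, names of rules that matched) for one request."""
    matched = []
    for rule in rules:
        if not re.search(rule["pattern"], request.get(rule["field"], "")):
            continue
        matched.append(rule["name"])
        if rule["action"] != "COUNT":
            return rule["action"], matched  # ALLOW and BLOCK terminate evaluation
    return default_action, matched  # COUNT matches are logged, then the default applies


def reorder_first(rules, name):
    """Move the named rule to the front, to show that rule order changes the outcome."""
    first = [r for r in rules if r["name"] == name]
    return first + [r for r in rules if r["name"] != name]
```

Placing the health-check Allow rule ahead of the Block rule lets a matching request through untouched, which is why terminating rules need to be ordered deliberately.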

AWS Firewall Manager

  • Firewall Manager has been designed to help you manage WAF in a multi-account environment with simplicity and control

  • It automatically protects resources that are added to your account as they become active

  • Prerequisites of using Firewall Manager include:

  • You must ensure that your AWS Account is a part of an AWS Organization with all features enabled, not just consolidated billing

  • You must define which AWS account will act as the Firewall Manager Admin account

  • You must have AWS Config enabled

  • Firewall Manager uses WAF rules, rule groups, and Firewall Manager policies

  • Rule groups allow you to group together one or more WAF rules that will all have the same action applied when the conditions are met within a rule

  • You can create your own rule group or purchase existing rule groups pre-configured with set AWS WAF rules

  • You can only have 10 rules per rule group, and this limit can't be increased

  • Firewall Manager Policies contain the rule groups that you want to assign to your AWS resources

  • Used to manage WAF rules between multiple accounts. AWS WAF rules, which contain conditions, are selected first. WAF rules are then added to a rule group, which has a block, allow, or count action associated with it. Finally, the rule group is added to an AWS Firewall Manager Policy, which is then associated with AWS resources such as your CloudFront distributions or Application Load Balancers.

AWS Shield

  • AWS Shield is closely related to both AWS WAF and also the AWS Firewall Manager

  • It has been designed to help protect your infrastructure against distributed denial of service attacks, commonly known as DDoS.

AWS Shield Standard

  • Free to all AWS customers

  • Offers protection against some common layer 3 and layer 4 DDoS attacks

AWS Shield Advanced:

  • Contains the full set of protective features

  • Offers enhanced protection to EC2, CloudFront, ELB and Route 53

  • Access to a DDoS response team (DRT) at AWS

  • Offers protection at layers 3, 4, and 7

Amazon Cognito

  • Amazon Cognito is an authentication and user management service used commonly with web and mobile applications

  • Offers full integration with external identity providers (Apple, Facebook, Google, Amazon, etc.)

  • Integrates with your own Active Directory using SAML

  • It uses User Pools and Identity Pools to govern authentication and access

User Pools:

  • Used to create and maintain a directory of your users for your mobile or web application

  • Manages sign-up and sign-in for your users

  • Utilise external identity providers, such as Facebook or Amazon, or SAML for Microsoft AD

Identity Pools:

  • Provide temporary AWS credentials for your authenticated users or unauthenticated guests

  • Operate in conjunction with User Pools

  • Allows your users to access AWS services sitting outside of your application

  • Ability to federate using external identity providers

  • The main difference is that User Pools provide a method of authentication through identity verification, allowing users to sign in to your web or mobile application using an identity provider or the local Cognito user directory, whereas Identity Pools are typically used to control access to AWS services on your application's behalf using temporary credentials

This post is licensed under CC BY 4.0 by the author.
